Latest GCSB revelations reinforce moving to Cloud for Central Government and Private Companies

Ooops… This is off to print as well, but will be back Monday.

The GCSB released some statistics in the last week that say cyber attacks on New Zealand networks is up sixty percent. As well as that factoid, it was interesting to see the GCSB, much like it’s United Kingdom counterpart, getting into the private spying business on what appears to be a consultancy type basis. All of this on the back of a schizophrenic approach to Cloud services from Central Government where GCSB says no, then looks like they are selling services to ensure security, while the government has a Cloud First Policy, that would solve the security problem.

Here we go again. The GCSB on a PR campaign to smarten itself up and assert authority in the ICT Security area.

“Director of the Government Communications Security Bureau (GCSB), Ian Fletcher said both the number of cyber security incidents and the cost of dealing with them was rising.The GCSB is responsible for keeping sensitive government data secure and also provides protection to selected private companies through a cybersecurity programme.” – Source

That may be the case, however this approach is, in my opinion, counter-intuitive.

“The Government came to the view that it would be right for the GCSB to step out and offer a kind of top up service to a number of government organisations and a number of private organisations.

“Those are organisations we’ve chosen to talk to on the basis of the significance they play in NZ’s national life.”

Mr Fletcher said revealing the private companies the Government is working with would defeat the fundamental object of the exercise, which is to make their systems safer than would otherwise be the case.

“Our objective was to respond to the evident advanced threats that had emerged globally and here, that generally involved attempts to obtain persistent access to valuable data and to be able to remove it.”

This is the same service as the GCHQ, the U.K. version of the GCSB, offers.

The GCSB, however, have recently updated the NZISM Manual, which if taken in the letter of the law, basically stops the use of Cloud services (my opinion). Now, we see them raising the specter of increasing attacks and telling us that they are working alongside government departments and private companies in some kind of “consultative” (my words) role.

Surely, moving those government and private company ICT services into the Cloud would increase security. In fact, I would suggest that they do.

You see, if you run your own equipment, data centres, and ICT services as an agency or private company you are up for a gigantic amount of money to secure them, if you ever can. Attackers know exactly where you live and unless you are running the latest and greatest, up to date, in depth security systems, patching, and process, then you are far more likely to be compromised than if you choose to take up a mature Cloud service from the big New Zealand providers or international providers.

Why?

Let’s imagine you have your Cloud service in Revera, Datacom, Catalyst, Microsoft, or Amazon. Each has an increasing scale of security that far outstrips anything that a single organisation can achieve. The economic scale allows these companies to employ security analysts and tools that are, to be frank, probably the envy of the GCSB. Not only does an attacker have to make their way through that massive security demilitarised zone, it then has to find the target in a multi-tenanted environment that could include millions of customers, and even then, DDoS or other denial of service attacks are completely stumped by the massive scalability of the service, all the time watched by state of the art security systems with hundreds of eyes on analysts.

It’s more likely safer to have your sensitive, restricted, and secret data in an accredited Cloud service.

So why is it important to keep raising the issue. It’s pretty simply really, a lot of the advice that the Western sigint communities have provided in relation to ICT services, is counter-productive, in my opinion. Worse, it is counter to what the GCIO says we, government, should be doing. And we aren’t even talking about the absolute mess the NSA has created in the U.S. market.

Here’s some more data:

The CIA bought over $600m of Amazon Cloud services this year. If it’s good enough for them, why not for New Zealand agencies?

All New Zealand agencies are now using some kind of SaaS service if not IaaS, and PaaS. I.e. The horse has bolted, so why not deal with what we have.

The U.S. Government has a process, called FedRamp, that allows the accreditation of Cloud services. So do we, thanks to DIA.

The U.K.’s G-Cloud allows the same. As does DIA here.

Canada has been working on something similar.

Even the Australians in recent months have been relaxing their attitude.

There is no imperative, despite the belief there is, that says we can’t store our data offshore.

Every progressive government on the planet has moved past, don’t use Cloud, to providing guidelines on how to use Cloud.

This sigint advice, using the fig-leaf of terrorism as an excuse, is putting us at more risk than not, in my opinion. It’s confusing, look at this article as an example and the left-hand, right-hand, disinformation that exists:

The slogan of the Government Communications Security Bureau used to be “Mastering the Internet for the benefit of New Zealand”. Those words have been quietly removed from the GCSB website. Possibly because it drew an unwelcome link to the British GCHQ’s “Mastering the Internet” mass surveillance programme exposed in documents from the US National Security Agency whistleblower, Edward Snowden, in 2013.

In the words of GCSB director, Ian Fletcher, CORTEX is “a kind of top-up service” for important government and corporate computer networks which are at risk from sophisticated cyber attacks.

The Government won’t go into the specifics of how CORTEX works or which organisations use it. It also won’t say whether the GCSB has the ability to launch cyber attacks of its own. In Mr Fletcher’s words “either confirming or denying a capability wouldn’t be a step we are prepared to contemplate.” (As a side note, the NSA came out this week to say that China could probably shut down their [the U.S.] power grid. But the GCSB won’t tell us about threats?)

A computer security expert and GCSB sceptic, Daniel Ayers, isn’t satisfied by that response. “I think they are being more secretive than they need to be…There are private citizens in New Zealand that have the ability to carry out hacking so I can’t fathom why there would be any prejudice to the security or defence of New Zealand.”

Ms Curran lists what she described as a “significant series of data breaches right across government for the last four or five years” including Ministry of Social Development kiosk security flaws and holes in the Ministry of Justice website.”There’s enough of these issues to raise serious issues about the lack of systemic approach to IT security and risk identification across government” She identifies the cause as the lack of a mandatory computer security standard which government agencies can be audited against.

The GCSB has a Government Information Security Manual which agencies are supposed to follow but it isn’t compulsory and in 2012 only three percent of agencies had assessed whether they complied with it.

It’s a shambles. Clare Curran doesn’t seem to understand the terrible implications of a mandatory computer security standard. It could literally halt all progress toward the digital citizen.

One thing is for sure, the amount of money that agencies are spending to try and decipher the contradictory advice must be exceptionally high. The latest release of the NZISM, across government, has everyone scratching their heads over how to manage it. If they have to retrofit thousands of applications across the seventy plus central agencies then the cost will be billions and all other work would likely have to stop.

Meanwhile, the DIA, well, part of the DIA, has the right answer. Utilising Cloud is likely to increase security and the use of Cloud remains the risk of the Chief Executive and their organisation. And why, if we have a GCIO, and a GCTO, are we not simply following that advice? Why are we evening listening to GCSB when they actually don’t have a mandate?

It really isn’t that hard. Is it? We need to exploit new technology to try and achieve what it is that Government has been tasked to deal with in the digital space, and when you have a coterie of time resistance laggards biting your ankles, it makes it damn hard.

The bottom line is that Cloud is more secure than on-premise, if you do it right.

One comment

I agree with many points highlighted by this article. In particular: “Every progressive government on the planet has moved past, don’t use Cloud, to providing guidelines on how to use Cloud”.

The guide published by DIA*1 on “security and privacy considerations when using the cloud” is sensible and educates people on the use of the cloud. To be honest it much better than other cloud education materials we have seen. It is comprehensive and provides enough background information for people to make decisions and reach their own conclusions.

I believe that education and transparency will lead us to better results using the cloud. In that spirit, we wrote a document that takes readers through the guidance in the light of our cloud services at Catalyst*2.